Posted by: David Harley | November 19, 2015

Bypassing iOS authentication

Trend Micro’s blog article Siri’s Flaw: Apple’s Personal Assistant Leaks Personal Data outlines a number of scenarios where an attacker might be able to take advantage of Siri’s ability to bypass authentication if Siri is not disabled on the lockscreen.

Not something to panic over, but worth checking if you’re a friend of Siri’s.

David Harley


Posted by: David Harley | November 18, 2015

VirusTotal Sandbox for OS X

[Originally posted on the Antimalware Testing blog, but of relevance here.]

Complaints have been made regularly over the years about ‘testers’ who try to assess product performance by throwing them at VirusTotal’s site to see which products flag them as malicious. In fact, I’ve been one of the most persistent critics of this quasi-testing methodology, and a few years ago wrote a paper with Julio Canto, one of the masterminds behind the VT service, about the reasons why it’s a bad methodology.

VirusTotal has moved on since then, in quite a few ways, not least in the technologies it has adopted and the way in which it uses those technologies. While I still don’t in the least regard submission to VT as a substitute for competent product testing, it has, for instance, adopted a form of sandbox testing analogous to the way in which some anti-malware scanners and other sandbox products and services implement behavioural detection. VT has already addressed ‘Windows PE files in 2012, and Android in 2013’, and has now added ‘equal treatment for Mac OS X apps’.

This perhaps blurs the distinction slightly between VirusTotal’s service and other security services in a way that might cause further confusion among pseudo-testers. But that’s not VT’s fault, and I think the value added to its services more than compensates.

David Harley

Posted by: David Harley | November 18, 2015

Malware Sample Sharing

I’ve just seen a message from a visitor to this site asking whether Mac Virus shares OS X malware samples. I’m answering more or less publicly because it’s far from the first time I’ve been asked about sample sharing (not necessarily Mac-specific samples), and I don’t mind answering it again.

The short answer is yes, but only with people I know and trust, which basically means some of the people I know in the anti-malware industry.

The slightly longer answer is that these days I rarely have occasion to handle a sample myself – I’m a writer, not a hands-on researcher – even if one finds its way onto one of my machines. When that happens, I forward it for further analysis to a company with which I work closely, or to a specialist list outside that company: there are people there far better at sample processing than I am, and who have access to far better kit. I also know that if it’s a sample that needs to be distributed more widely, they’ll pass it on through the many channels that exist for that purpose in the security industry.

In fact, I’ve recently (with due care and attention) disposed of my own malware collection, which I maintained primarily for product testing purposes. While I’m still to some extent engaged with the product testing industry through the Anti-Malware Testing Standards Organization (AMTSO) and write about it when appropriate (here, for instance), it’s as a commentator, not as an active tester – that phase of my life is long gone.

Oddly enough, a computer magazine once referred to a former incarnation of this site as a source of Mac malware samples. It wasn’t the case then (they did print a retraction subsequently), and it isn’t now. More recently, I stopped writing for one security group because they kept forwarding my address to people who wanted samples.

I know how difficult it can be for someone with an entirely legitimate need for samples to gain the prerequisite trust from the anti-malware industry, but if you’re someone I’d be prepared to share samples with, you already know that this isn’t the place to ask.

But it’s academic. I don’t keep samples myself. Sorry.

David Harley

Posted by: David Harley | November 12, 2015

Security: Android versus iOS

Well, I have no wish to get in between two groups of fanbois, so I’m going to keep my opinions to myself on this occasion as to which platform is most secure. However, Graham Cluley writes for Tripwire about a new study in which Checkmarx and AppSec Labs looked at application security on both platforms, and concluded that a depressingly high proportion of the apps tested had vulnerabilities categorized as ‘critical’ or ‘high severity’. Specifically, 40% of the iOS apps and 36% of the Android apps.

I haven’t looked at the actual study – it requires registration, and I’m picky about the sites I jump through registration hoops to access – but on the basis of those figures, I can’t argue with Graham’s conclusion that ‘…smartphone developers need to raise their game, and write code which respects users’ security and privacy. Apps need to be tested more thoroughly to confirm that they do not have flaws, rather than rushed out of the door.’

David Harley

Posted by: David Harley | November 9, 2015

XcodeGhost: malware not just for Halloween

As I previously observed in a post commenting on FireEye’s commentary, apps haunted by the presence of XcodeGhost are still with us. Paul Ducklin’s blog for NakedSecurity – Apple’s XcodeGhost malware still in the machine… – takes a slightly different angle, drawing parallels with Stuxnet and with the Induc epidemic of 2009.

There is indeed a similarity: as I wrote at that time:

[An Induc infection] means that the file contains a piece of code that includes routines to modify files belonging to the Delphi development tool and thereafter, all applications compiled using Delphi will also contain the virus.

The NakedSecurity article summarizes the somewhat analogous way in which XcodeGhost compromises applications generated with the ‘cooked’ version of the Xcode development toolkit, and reinforces the message that there are likely to be compromised apps out there even after Apple removed known-compromised programs from the App Store. It also gives some sound advice for developers on not blindly trusting third party libraries and not scorning the use of anti-malware apps. Apple has all but killed off anti-malware products for iOS, but the critical point here is that (as Paul puts it) we’re talking about

Apple Mac malware that was specially created by crooks in China to create iOS malware.

David Harley

Posted by: David Harley | November 6, 2015

Counting malware: samples, families, and PUPs

Thomas Reed of Malwarebytes responded on Twitter to my article yesterday on OS X Malware: an Attack of Nostalgia:

I read that report, sounds like a lot of what they saw was adware, not true malware. More details:

He’s referring, of course, to Bit9’s report 2015 – The Most Prolific Year in History for OS X Malware. And since I still haven’t read that report, I’m happy to take his word for it. But as he says in his own article:

It turns out that the findings are completely true, but depend entirely on your definition of the word “malware.”

Which is fair enough. I feel obliged to make two points, however:

  • As I understand it, Bit9 is referring to samples, whereas Thomas alludes to malware families (six in 2014, three in 2015). So, for instance, he refers to XcodeGhost as one threat, rather than counting all the iOS apps that were compromised by exposure to malicious code as separate instances. That’s a perfectly fair way of looking at it, and certainly less unnecessarily scary for the end user, but it’s not comparing like to like. Some may be reminded of the fuss in the 1990s when a vendor artificially increased the number of viruses it claimed to detect by classifying each sample of a polymorphic virus as a separate threat. I still regard that as inappropriate, and it does illustrate a problem with counting samples. (I’m sure Android would agree.) However, with XcodeGhost, we’re talking about a number of individual programs which may be detected as such, rather than generically, so it’s not the same thing. IMHO…
  • Thomas is basically defining ‘possibly unwanted’ software – and certainly adware – as a nuisance rather than malicious. Which, again, he’s entitled to do, but I don’t agree – a great deal of trouble has been caused by programs that can certainly be described as adware, but also meet the definition of a trojan. Again, it’s a matter of definition, I guess, and without analysis of the individual samples cited by Bit9, I can’t say how many of its samples are adware, or another breed of PUP/PUA/PUS (Possibly Unwanted Programs/Applications/Software), or even ‘possibly unsafe’ (a classification used in the security industry for URLs and applications that may be legitimate, but prone to being misused).

Unfortunately, Thomas has highlighted one of the security industry’s weak spots. Some programs are regarded with extreme disfavour by many in the security industry, but are not flagged as malicious for sternly practical reasons. Instead, they’re lumped in with other ‘possibly unwanted’ programs, and it’s usually up to the AV user to decide whether or not to activate detection of programs so categorized. So it may well be that some or even many of the samples flagged by Bit9 and Carbon Black won’t be flagged as malicious by security products by default. :(

David Harley

Posted by: David Harley | November 5, 2015

OS X Malware: an Attack of Nostalgia

Once upon a time (back when I wrote an FAQ document on ‘Viruses and the Macintosh’, which is still around in cobwebby bits of the internet but hopelessly outdated), it was actually feasible to list all the Macintosh malware known at that time. In fact, the ‘Pre-OS X malware’ page on this site is founded on the last version of that document, updated when I still had some control over where it resided.

And for quite a while, the same applied to OS X malware. Not any more. I haven’t actually looked at Bit9’s report 2015 – The Most Prolific Year in History for OS X Malware because it requires registration, but John Leyden’s article for The Register tells us in summary that ‘This year, there have been 948 OS X malware samples, compared with 180 in the years 2011-14 inclusive.’ There’s no need to panic: 90% of 2015 samples analysed by Bit9 and Carbon Black use the version of the Load command superseded in 2012 with the release of OS X 10.8 (Mountain Lion).
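As an added illustration of the load-command point above (this is not code from the post, from Bit9 or from Carbon Black), the following Python reads a Mach-O header and reports whether the entry point is defined by the legacy LC_UNIXTHREAD command or by LC_MAIN, which replaced it in OS X 10.8. That LC_UNIXTHREAD is the superseded command the report refers to is my assumption, since the post does not name it; the sample images are constructed inline and are not runnable binaries.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF  # 32-bit (28-byte) / 64-bit (32-byte) header
LC_SEGMENT_64 = 0x19
LC_UNIXTHREAD = 0x5         # legacy entry point, superseded in OS X 10.8
LC_MAIN = 0x80000028        # modern entry point (0x28 with the LC_REQ_DYLD bit set)


def entry_point_style(data: bytes) -> str:
    """Return 'legacy' (LC_UNIXTHREAD), 'modern' (LC_MAIN) or 'none' (neither,
    e.g. a dylib); raise ValueError on malformed input rather than guess."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == MH_MAGIC_64:
        header_size = 32
    elif magic == MH_MAGIC:
        header_size = 28
    else:
        raise ValueError("not a little-endian Mach-O image")
    # ncmds and sizeofcmds sit at offsets 16 and 20 in both header layouts.
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    end = header_size + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    seen, offset = set(), header_size
    for _ in range(ncmds):
        if offset + 8 > end:
            raise ValueError("truncated load command")
        cmd, cmdsize = struct.unpack_from("<II", data, offset)
        if cmdsize < 8 or offset + cmdsize > end:
            raise ValueError("load command size out of bounds")
        seen.add(cmd)
        offset += cmdsize
    if LC_MAIN in seen:
        return "modern"
    return "legacy" if LC_UNIXTHREAD in seen else "none"


def build_sample(cmds):
    """Constructed input: minimal x86_64 MH_EXECUTE header plus zero-filled
    load commands of the given (cmd, cmdsize) pairs. Not a runnable binary."""
    body = b"".join(struct.pack("<II", c, n) + b"\0" * (n - 8) for c, n in cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2,
                         len(cmds), len(body), 0, 0)
    return header + body


LEGACY_SAMPLE = build_sample([(LC_SEGMENT_64, 72), (LC_UNIXTHREAD, 184)])
MODERN_SAMPLE = build_sample([(LC_SEGMENT_64, 72), (LC_MAIN, 24)])
TRUNCATED_SAMPLE = MODERN_SAMPLE[:-8]  # claims more load-command bytes than it has
```

A legacy entry point only says the binary was built with a pre-10.8 toolchain or deployment target, so it is a triage signal for sorting a sample set, not an indicator of malice on its own.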

By comparison, Leyden cites the number of malicious Windows samples as exceeding 20 million ‘even on the more conservative counts’. Well, that isn’t technically incorrect, but would be a ridiculously conservative count: the product testing organization AV-Test claims to have registered 143 million samples in 2014 alone, with well over 120 million registered to date for 2015. The AV-Test page doesn’t break down those numbers by platform, but most of those samples are certainly Windows-targeting, and most of the rest targeting Android, which I’d estimate informally as somewhere between one and two million, perhaps a little more.

Compared to those figures, OS X still looks very peaceful. However, while I didn’t deliberately abandon the list of OS X malware on this page in 2011, I don’t think it would be particularly useful to try to catch up now in the hope of listing all current OS X malware. I’m not at present planning to update the Timeline page either, though that’s more a matter of time management.

David Harley 


Posted by: David Harley | November 5, 2015

XcodeGhost – not yet Exorcised

…certainly not according to FireEye, whose researchers tell us that a wide range of industries are still running XcodeGhost-compromised apps, information based on their observations of attempts to connect to its C&C servers. The article includes a link to the 20 most active apps out of 152 monitored.

While some of the infected devices are running 9.x.x, around 70% are running on older versions. While I don’t have a problem in principle with encouraging people to upgrade to the latest version (as advocated by FireEye), it’s worth remembering that:

  1. The first release of a new iOS version sometimes seems to include some security flaws: as with all software updates, sometimes stuff gets broken that worked OK before. That doesn’t mean you shouldn’t upgrade, but it’s a good idea to keep track of early issues and minor updates.
  2. There are a lot of devices that can’t be updated to 9.x: to the best of my knowledge – I don’t track these things generally – these include iPhones prior to the 4s, versions of the iPod touch prior to the 5th Generation, and 1st Generation iPads.
  3. System updates don’t fix everything. In fact, FireEye’s article includes a little information on a variant ‘S’ that specifically addresses iOS 9 and is intended to bypass static detection.

David Harley

Posted by: David Harley | November 2, 2015

How much is a 0-day worth?

$1,000,000 to Zerodium, apparently. The company acquires 0-day exploits and sells them to ‘major corporations in defense, technology, and finance … as well as government organizations in need of specific and tailored cybersecurity capabilities.’

Back in September, the company offered a $1m bounty for exclusive hacks offering a way to take over an iOS 9.* device remotely via a browser-based, untethered jailbreak. I guess we can assume it expects to make a healthy profit on such hacks.

And sure enough, Zerodium has announced that one team has made a remote browser-based iOS untethered jailbreak that works on iOS 9.1/9.2b.

I’d love to tell you more about it, but I don’t think I can afford to be one of Zerodium’s customers. There are some more speculative responses from researchers quoted in a Motherboard article here. Unsurprisingly, I suppose, it seems that Apple hasn’t responded.

HT to Artem I. Baranov for flagging the announcement.

David Harley

Posted by: David Harley | October 26, 2015

Glass Houses and Open Back Doors

An article by Richard Chirgwin for the Register – You own the software, Feds tell Apple: you can unlock it – sums up neatly the current argument in the US Federal Court about Apple’s reluctance to bypass the iPhone lockscreen, which the company states it cannot do on its latest iOS versions (8 and higher): he talks about ‘the Feds claiming in court that Cupertino’s license agreement gives it the right to do what the government tells it.’

Shades of Marriott Edgar’s monologue on the Magna Carta, as immortalized by Stanley Holloway:

…in England to-day we can do what we like,
So long as we do what we’re told.

The current case concerns an iPhone 5s running iOS 7, so Apple could bypass the lockscreen in this instance (as it has in the past in order to cooperate with law enforcement), but has presented a number of arguments against doing so in this instance.

The Electronic Frontier Foundation asserts that the US government argument ‘…runs counter to basic principles of user autonomy’ and doesn’t feel that the All Writs Act carries much weight in this context. Apple’s later response is based on the arguments that:

  • All Writs Act Authority Does Not Apply to Matters Covered by CALEA, or Specifically Omitted – in other words, ‘the All Writs Act does not apply when another statutory scheme addresses the issue or Congress has consciously determined not to take action.’
  • Even if the All Writs Act Applies, it Cannot Require Apple to Provide Expert Forensic Services on a Device it Does Not Own or Possess
  • This Case is Unlike Other Cases Upholding Use of the All Writs Act

The EFF is not breaking new ground by pointing out that ‘these one-sided end-user license agreements, or EULAs, are both exceedingly common and a raw deal for users.’ Mark Minasi’s book from 2000 on ‘The Software Conspiracy’ points out that even then, virtually all licenses tried to limit the customer’s ability to rent out the software, and even to sell it or give it away.

(He also talked about software ‘sold’ on an annual basis, the customer being required to renew the licence at the end of the year, and cited a case I remember well, where an antivirus software license prohibited a customer from reviewing the product without the permission of the vendor. Well, having worked with companies who’ve been badly mauled by incompetent reviews, I’m not entirely unsympathetic to that last one…)

It’s probable (or at any rate generally assumed) that most people don’t bother to scroll through interminable multi-screen EULAs to see exactly what they’ve signed up to: I suspect that many would be taken aback if it turned out that those agreements include an implicit understanding that any vendor might be forced to carry out forensic analysis on the government’s behalf. Out in the real world, though, this is often already the case. In this instance, though, it may be that the case will ultimately stand or fall on constitutional issues, notably the Fourth Amendment. But let’s not be naive about this: nowadays, most governments will press for an opportunity to get a copy of our back door keys.

David Harley
